I have an ASP.NET application that's currently accessible via a single domain name, with an SSL certificate. We'd like to be able to access the same application via a second domain name. The non-SSL part is easy: just set up a second host header value for the website in IIS. We know we'll need a second SSL certificate for the second domain, and of course a second IP address to run the two certificates in parallel - neither of those is a problem.

The problem is that IIS doesn't seem to let you set up ONE website that has TWO SSL certificates - it seems you can bind the one website to two SSL entries provided each has its own IP, but only using the same certificate.

We'd rather not have a second website entry in IIS because that would mean a complete second copy of the ASP.NET application running - i.e. double the memory usage. The two domains are basically country-specific variations, so we can't use a wildcard certificate with subdomains off a common domain name.

Is there any way to do this? Can IIS be configured to serve up two SSL certificates off one website entry (based on the IP address, of course)? Or is the best way to achieve this to set up a second website in IIS which reverse proxies onto the 'real' website?

4 Answers

You shouldn't need a second IP address or a second website. All you need to do is get a new certificate issued for your existing site, with the addition of the "Subject Alternative Name" attribute defined. This will allow you to use the same SSL cert for multiple fully qualified domain names.

When you connect to an HTTP server, your browser opens a TCP connection to the remote server and uses it to request a document.
The hostname you are requesting is sent only at this moment.
Thus the remote server knows which website you want only when it receives this request (thank you, Captain Obvious!)

Now if you add SSL, you must perform the certificate exchange/verification BEFORE sending the request.
At this time, the webserver doesn't know which website (URL) you requested, so it can't choose a certificate.

You will have to define a second website, with either another IP or TCP port, to do this.

While the first statement ("a web site... can only have one certificate assigned") is correct, the second statement ("Your only option is defining two websites") is simply wrong. A single certificate can be issued for multiple FQDNs (similar to a wildcard certificate, but in most browsers it will not generate the warning message you might get in some browsers for wildcard certificates).
– Jessica McKinnon Sep 9 '09 at 15:11

True, but it was him who talked about already having two certificates and two IP addresses, and how to use both in IIS on the same website; that's simply not possible. Of course, a certificate with multiple names is an option.
– Massimo Sep 9 '09 at 16:58
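To make concrete what the first answer and Jessica McKinnon's comment rely on (one certificate that is valid for several unrelated FQDNs, which a wildcard cannot give you), here is the check a client performs after the handshake to decide whether the certificate it received covers the hostname it connected to. This is an added example, not code from the thread and not IIS's own logic; it applies the RFC 6125 rules browsers use: if a Subject Alternative Name extension with DNS entries is present, only those names count (the subject CN is consulted only for legacy certificates without a SAN), a wildcard is honoured only as the whole left-most label and matches exactly one label, and comparison is case-insensitive. It goes slightly beyond the thread by including the wildcard rules. The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and the example.co.uk / example.de hostnames are placeholders assumed to stand for the two country-specific sites.

```python
from __future__ import annotations


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name taken from a certificate against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only when it is the entire left-most label and it stands for
    exactly one label, so '*.example.co.uk' covers 'www.example.co.uk' but
    neither 'example.co.uk' nor 'a.b.example.co.uk'.  Patterns with fewer
    than three labels such as '*.uk' are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_covered(cert: dict) -> list[str]:
    """DNS names a certificate is valid for.

    When the certificate carries a subjectAltName extension with DNS entries,
    those are the only names that count; the subject commonName is consulted
    only for legacy certificates with no SAN at all (RFC 6125, section 6.4.4).
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return san_dns
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """True if a client that connected to `hostname` would accept `cert` for it."""
    return any(_dns_name_matches(name, hostname) for name in names_covered(cert))


def certs_covering_all(certs: dict[str, dict], hostnames: list[str]) -> list[str]:
    """Labels of the certificates in `certs` that cover every hostname given."""
    return [label for label, cert in certs.items()
            if all(cert_covers_hostname(cert, h) for h in hostnames)]


# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
# Assumption: the domains are placeholders for the two country-specific sites.
CERTS = {
    "single-name": {
        "subject": ((("commonName", "www.example.co.uk"),),),
        "subjectAltName": (("DNS", "www.example.co.uk"),),
    },
    "wildcard": {
        "subject": ((("commonName", "*.example.co.uk"),),),
        "subjectAltName": (("DNS", "*.example.co.uk"),),
    },
    "san": {
        "subject": ((("commonName", "www.example.co.uk"),),),
        "subjectAltName": (
            ("DNS", "www.example.co.uk"),
            ("DNS", "example.co.uk"),
            ("DNS", "www.example.de"),
            ("DNS", "example.de"),
        ),
    },
    # CN names the second site but the SAN does not: modern clients ignore the CN.
    "cn-only-mismatch": {
        "subject": ((("commonName", "www.example.de"),),),
        "subjectAltName": (("DNS", "www.example.co.uk"),),
    },
}

SITES = ["www.example.co.uk", "www.example.de"]

if __name__ == "__main__":
    for label, cert in CERTS.items():
        covered = ", ".join(h for h in SITES if cert_covers_hostname(cert, h)) or "(none)"
        print(f"{label:18} covers: {covered}")
    print("usable for both sites on one binding:", certs_covering_all(CERTS, SITES))
```

Running it shows only the SAN certificate covering both sites: the wildcard covers a single label under one registered domain, the single-name and CN-only certificates cover one site, so a SAN certificate is the one that can sit on a single IIS binding for both domains.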